Migrating To Intune - v1 - 1
More and more organizations with existing enterprise mobility management solutions are
considering migrating to Microsoft Intune. Intune’s rapidly expanding mobile device
management (MDM) and mobile application management (MAM) feature set offers many
organizations improvements over their existing enterprise mobility management solutions.
Intune also integrates tightly with Azure Active Directory Premium and Azure Rights
Management Service as part of the Microsoft Enterprise Mobility Suite.
This document provides high-level guidance for you to consider when migrating your devices
and users to Intune from an existing enterprise mobility management solution. It outlines the
basic planning and migration considerations, best practices, and provides links to configuration
guidance that you can use to get started with a migration to Intune.
If you purchase licenses for Microsoft Intune, you can use the "FastTrack Center Benefit," a
service where Microsoft specialists work with you to get your environment ready for Intune. See
the Microsoft Intune Service Benefit Description for more details.
This document focuses on the main stages of migrating to Intune from an existing enterprise
mobility management solution:
Before you begin
Setting up Intune
Configuring Intune
Piloting Intune
Migrating to Intune
Set up Intune
Review infrastructure requirements and architecture
Understanding the Intune service requirements and differences between your existing enterprise
mobility solution and Intune is crucial to a successful migration. For example, Intune is tightly
integrated with other Microsoft services and products that may provide additional benefits to
other areas of your organization. A careful analysis of how these other services currently interact
with your existing enterprise mobility solution may illuminate how Intune will manage these
relationships.
After completing the process of creating a new Intune tenant or adding Intune to your existing
onmicrosoft.com tenant, you’ll be automatically signed in to the Microsoft Intune account portal
with the global administrator account.
Prepare Intune
To get started, you’ll need to configure a few basic Intune service settings:
In the Office 365 Management Portal: Add the users you want to manage with Intune during the pilot.
If you added Intune to an existing tenant where Active Directory Federation Services (AD FS)
and a synchronization technology are already in place, you’ll simply need to enable licenses
for your Intune pilot users.
If this is not the case, for most medium-level and enterprise-level organizations, connecting
your existing directory services to Intune via Azure Active Directory is the best and most
convenient way to manage user identity with Intune. This is especially true if you already use
other Microsoft cloud services, such as Office 365 or Exchange Online. Synchronizing your
existing user accounts using Microsoft's AD Connect is a quick and easy way to connect your
on-premises Active Directory to Azure Active Directory and configure a single sign-on
authentication experience for your users. Azure AD Connect encompasses functionality that
was previously released as DirSync and Azure AD Sync.
Before you migrate users to Intune, their devices must no longer be managed by your
existing enterprise mobility solution. If they are, unenroll their devices and user accounts in
accordance with the guidance from your existing mobile device management solution
provider. You’ll also need to assign Intune licenses to your pilot users in the Office 365
Management Portal.
Important: If you’ve configured conditional access to corporate resources in your existing
solution for these pilot users and devices, the considerations covered in the controlling
access to corporate resources section will apply.
In the Intune Admin Console: Select the Start Managing Mobile Devices button to select
your Mobile Device Management Authority, and enable mobile devices for each platform
you plan to support in your organization.
Enable Android devices
Enable iOS and Mac devices
Enable Windows Phone devices
Enable Windows devices
Note for Windows Phone and Windows devices: It isn’t necessary to specify the DNS
entries listed in the TechNet topics for piloting Windows Phone and Windows devices if your
current DNS CNAME entries already point to your existing enterprise mobility management
solution provider. Changing the DNS entries may impact your current production users and
devices. To pilot Intune with Windows Phone or Windows devices, you can work around
this as follows:
Windows Phone: During the enrollment process, users are prompted for the
management server name if you do not create the CNAME record for
“enterpriseenrollment.company_domain.com”. Simply enter “manage.microsoft.com”
for this value to complete the enrollment.
Windows 8.1: Create a registry key on your Windows 8.1 device for the Intune
enrollment server address if you do not wish to configure the
“enterpriseregistration.company_domain.com” DNS entry.
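As an added example that is not part of the original guidance, the PowerShell check below classifies the two enrollment DNS records described above for a domain, so you can tell whether they are absent, already point at Intune, or point at your existing provider and must be left alone during the pilot. The function name Test-EnrollmentCname, the domain contoso.example and the sample records are assumptions constructed for the example; against live DNS you would feed it the output of Resolve-DnsName as shown in the trailing comment.

```powershell
# Added example: classify the enrollment CNAME records for a domain before piloting Intune.
# Records are passed in as objects with Name, Type and NameHost (the shape Resolve-DnsName
# -Type CNAME returns), so the check runs offline on constructed data.
function Test-EnrollmentCname {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Records
    )
    $intuneHost = 'manage.microsoft.com'
    # The two records the guidance discusses and what their absence means for the pilot.
    $expected = [ordered]@{
        "enterpriseenrollment.$Domain"   = 'Windows Phone enrollment prompts for the server name; enter manage.microsoft.com'
        "enterpriseregistration.$Domain" = 'Windows 8.1 needs the registry-key workaround for the enrollment server address'
    }
    foreach ($name in $expected.Keys) {
        $rec = $Records | Where-Object { $_.Type -eq 'CNAME' -and $_.Name -eq $name } | Select-Object -First 1
        $target = if ($rec) { $rec.NameHost.TrimEnd('.') } else { $null }
        if (-not $rec) {
            $status = 'ABSENT'
            $advice = "No CNAME. $($expected[$name]). Pilot can proceed without DNS changes."
        } elseif ($target -ieq $intuneHost) {
            $status = 'INTUNE'
            $advice = "Already points to $intuneHost."
        } else {
            $status = 'OTHER-PROVIDER'
            $advice = "Points to $target, probably your existing EMM. Do not change it during the pilot; production devices depend on it."
        }
        [pscustomobject]@{ Record = $name; Status = $status; Target = $target; Advice = $advice }
    }
}

# Constructed sample: enterpriseenrollment points at a fictional existing provider,
# enterpriseregistration does not exist. Not real DNS data.
$sample = @(
    [pscustomobject]@{ Name = 'enterpriseenrollment.contoso.example'; Type = 'CNAME'; NameHost = 'mdm.existing-emm.example.' }
)
Test-EnrollmentCname -Domain 'contoso.example' -Records $sample | Format-Table -AutoSize

# Against live DNS (network access required):
# $live = 'enterpriseenrollment', 'enterpriseregistration' |
#     ForEach-Object { Resolve-DnsName -Name "$_.contoso.example" -Type CNAME -ErrorAction SilentlyContinue }
# Test-EnrollmentCname -Domain 'contoso.example' -Records @($live)
```

Run it once per verified domain before the pilot and again before the production cut-over, when the records are actually repointed to Intune.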
After you’ve completed these steps and configured the necessary platform requirements, you’re
ready to start enrolling devices in Intune if you’d like to test service connectivity and the basic
enrollment process. Users can enroll and manage their devices with the Company Portal app
using their credentials, or you can enroll devices with the Device Enrollment Manager. It’s
important to remember that you haven’t configured any Intune configuration or compliance
policies yet, so these devices are enrolled but are not targeted for policies, applications, or other
corporate resources.
Configure Intune
Intune offers a very comprehensive set of mobile device and mobile application management
features and capabilities. In this step, you’ll need to determine what configuration and
compliance policies need to be configured to match the policies of your current enterprise
mobility management solution. You’ll also need to fully understand the management process for
these policies in the Intune architecture and how they manage and protect corporate resources.
Device settings: Intune allows you to configure a wide range of settings that you can
deploy to managed devices in your organization. These policies can be configured for each
device platform type and can manage the most up-to-date device settings available.
Email: Email profiles in Intune allow you to create and deploy profiles that can automatically
configure devices with appropriate email server information so that users can connect to
their email mailbox. This helps users connect to the correct email server and prevents the
need for users to have to try to remember email server names. Provisioning email profiles via
Intune also allows you to remove email from devices as part of a selective wipe process.
Intune can configure the native email for iOS, Samsung KNOX Android devices, and
Windows Phone 8.0 or later. Intune also supports the Outlook app for both iOS and Android
devices as a MAM-enabled application.
Wireless: To simplify connections to wireless networks, you can manage these connections
using Intune wireless profiles that outline the specific settings devices need to configure in
order to connect to the wireless network. This may include automatically configuring a
custom network name, network Service Set Identifier (SSID), security settings, network proxy,
and whether or not the device should automatically connect to the wireless network when
the device is in range.
VPN: Secure remote access to corporate resources often includes using a defined VPN
connection type from the mobile device that manages user account credentials to
authenticate the VPN connection. You may have a vendor-specific VPN application for your
mobile devices, or it may be supported by your existing enterprise mobility management
solution. To simplify connections to VPNs after the migration, you can manage these
connections using Intune VPN profiles. Depending on integration support, managing VPN
connections with Intune may or may not be an option with certain VPN platforms.
Certificates: Most enterprise mobility management solutions natively support digital
certificates, either self-signed or issued by third-party certificate authorities (CAs), to
authenticate mobile devices to network connections or specific network resources. To
simplify managing digital certificates after the migration, you can manage certificates using
Intune certificate profiles. Intune provides a uniform, centralized method for managing
certificates, including how they are created, issued, and renewed.
Conditional access: Conditional access in Intune controls whether or not users (or user
groups) can access corporate resources such as SharePoint Online, Exchange Online, and
Exchange on-premises. If a device isn’t enrolled in Intune and compliant with your
compliance policies, the user won’t have access to these resources from that device.
Additionally, if you’re blocking Exchange ActiveSync (EAS) connectivity at the network layer
for externally connecting devices (such as mobile devices on a wireless carrier’s network),
you’ll need to allow EAS access for Intune’s conditional access policies to work correctly.
Make sure you’ve reviewed the considerations in the controlling access to corporate
resources section before enabling conditional access policies.
Application delivery & software: Intune offers a variety of methods for managing
applications, including publishing applications and deploying both in-house developed
applications and store apps.
Mobile application management: Intune MAM policies allow you to modify the functionality
of native MAM-enabled applications to help provide data protection and security. For
example, you can restrict cut, copy, and paste for MAM-enabled apps. When deploying
these native MAM-enabled apps you can define policies for these apps during the
deployment.
App wrapping: The Microsoft Intune App Wrapping Tool for iOS and Android allows you to
modify and restrict the behavior of your in-house developed apps without modifying the
code of the app itself. When your in-house iOS and Android apps are “wrapped”, you can
provide data protection controls such as restrict cut, copy, and paste.
Important: When these apps have been built using the SDK for your current enterprise
mobility management solution or wrapped using your existing solution’s wrapper, Intune will
not support that functionality. You’ll need to recompile these apps with the Intune App SDK
or wrap them with the Intune App Wrapping Tool, as appropriate.
Terms and conditions: Intune allows you to configure customized terms and conditions
that your users must accept prior to enrolling a device in Intune. This feature includes
versioning control and allows you to generate reports to view which users have accepted the
terms and conditions, what version they accepted, and when they accepted the terms. We
recommend investigating if you can use your existing terms and conditions in Intune early in
your planning phase as engaging different legal resources may extend your migration
timeline.
Pilot Intune
Now you’re ready to start your pilot deployment of Intune with selected users and devices.
Remember, the devices you test in the pilot deployment need to be unenrolled from your
existing enterprise mobility management platform before they are enrolled in Intune.
A typical pilot may last for several weeks and should include an appropriate number of users
and devices based on the size of your organization. You should use this time to train your IT
staff on how to enroll and troubleshoot problems for all of the platforms you’ll support.
Additionally, you should consider feedback from your pilot users in developing your user
enrollment documentation and communications for your full-scale deployment of Intune.
After you’ve tested and validated your pilot deployment of Intune, you’re ready to schedule the
migration of the rest of the users and devices in your organization to Intune.
Migrate to Intune
The migration to Intune from your existing enterprise mobility management solution may follow
the general sequence of steps below:
Notify users: Once you’re comfortable that the Intune pilot deployment has met your
requirements, communicate with your users about the upcoming migration of their devices to
Intune. Email messages, instructions, and posters can help set expectations and provide
enrollment details on the steps users need to take in order to maintain uninterrupted
connectivity to company resources and applications. Make sure your support team is ready to
assist users in the migration process.
Enrolling devices in Intune: Users scheduled for migration should immediately enroll in Intune
to either regain or prevent loss of access to corporate resources, email, and applications. If
you’ve configured conditional access and users try to connect to email before enrolling in
Intune, their access will be blocked and an enrollment email will greet them. This email will
guide them to enroll their device in Intune. Alternatively, users can enroll in Intune via the
Intune Company Portal app or natively through the operating system on Windows 8.1 and
Windows 10 Mobile. Refer to “What to tell your end users about using Microsoft Intune” for
further guidance on enrollment steps per platform.
For the most current comparison of these features by mobile device operating system platform,
be sure to check out Mobile device security policy settings in Microsoft Intune.